Plaintiff,
CLASS REPRESENTATION
v.
Defendant.
Plaintiff Michelle Lynn Sutherland (“Plaintiff”), individually, and on behalf of all others
similarly situated, brings this action against the Lexington Medical Center (“LMC”). Plaintiff
brings this action by and through her attorneys, and alleges, based upon personal knowledge as to
her own actions, and based upon information and belief and reasonable investigation by their
I. INTRODUCTION
South Carolina that includes a teaching hospital, five medical centers, seventy doctor’s offices, an
occupational health center, and a specialized care center for Alzheimer’s 1. LMC employs more
than 8,000 people, treats almost 100,000 patients per year, and performs 25,000 surgeries annually.
Id.
2. As part of its operations, LMC collects, maintains, and stores highly sensitive
personal and medical information belonging to its patients, including, but not limited to their full
1
See https://www.lexmed.com/about/ (last accessed Feb. 23, 2024).
3:24-cv-01016-SAL Date Filed 02/28/24 Entry Number 1 Page 2 of 38
names, Social Security numbers, dates of birth, (collectively, “personally identifying information”
or “PII”), medical record numbers, health insurance information, and other protected health
Information”).
unauthorized cybercriminals accessed one LMC employee’s email account and individual data
drive which included Private Information belonging to Plaintiff and Class members (the “Data
Breach”). On January 18, 2024, a subsequent investigation by LMC determined that this
employee’s email account and data drive contained a number of files that included the Private
4. On February 12, 2024, LMC sent a notice to individuals whose information was
accessed in the Data Breach (the “Data Breach Notice”). An exemplar of the Data Breach Notice
issued by Defendant and filed with the Vermont Attorney General’s Office is attached hereto as
Exhibit A.
5. Because LMC stored and handled Plaintiff’s and Class members’ highly-sensitive
Private Information, it had a duty and obligation to safeguard this information and prevent
breached LMC’s information systems and databases and had access to vast quantities of Private
Information belonging to LMC’s patients, including Plaintiff and Class members. The Data Breach
was the direct, proximate, and foreseeable result of multiple failings on the part of LMC.
7. The Data Breach occurred because LMC failed to implement reasonable security
protections to safeguard its information systems and databases. Moreover, before the Data Breach
occurred, LMC failed to inform the public that its data security practices were deficient and
inadequate. Had Plaintiff and Class members been made aware of this fact, they would have never
to adequately satisfy its contractual, statutory, and common-law obligations, Plaintiff and Class
• Charges and fees associated with fraudulent charges on their accounts; and
10. Accordingly, Plaintiff brings this action on behalf of all those similarly situated to
seek relief for the consequences of LMC’s failure to reasonably safeguard Plaintiff’s and Class
members’ Private Information; its failure to reasonably provide timely notification to Plaintiff and
Class members that their Private Information had been compromised; and for LMC’s failure to
inform Plaintiff and Class members concerning the status, safety, location, access, and protection
II. PARTIES
11. Plaintiff Sutherland is a resident and citizen of Lexington, South Carolina. Plaintiff
Sutherland was a patient at LMC. Plaintiff Sutherland received LMC’s Data Breach Notice.
Defendant LMC.
12. The LMC is a South Carolina non-profit with its principal place of business located
at 2720 Sunset Blvd W. Columbia, South Carolina 29169. LMC conducts business in this District
13. This Court has subject-matter jurisdiction pursuant to the Class Action Fairness Act
of 2005 (“CAFA”), 28 U.S.C. § 1332(d)(2), because this is a class action in which the matter in
controversy exceeds the sum of $5,000,000, the number of class members exceeds 100, and at
least one Class member is a citizen of a state different from LMC. This Court also has supplemental
jurisdiction pursuant to 28 U.S.C. § 1367(a) because all claims alleged herein form part of the
14. This Court has personal jurisdiction over LMC because LMC is headquartered in
South Carolina.
15. Venue is proper in this District under 28 U.S.C. § 1391(b)(2) because a substantial
part of the events or omissions giving rise to Plaintiff’s and Class members’ claims occurred in
A. LMC – Background
16. LMC is a healthcare network based out of West Columbia, South Carolina that
includes a teaching hospital, five medical centers, seventy doctor’s offices, an occupational health
center, and a specialized care center for Alzheimer’s 2. As part of its normal operations, LMC
collects, maintains, and stores large volumes of Private Information belonging to its current and
former patients.
17. Current and former patients of LMC, such as Plaintiff and Class members, made
their Private Information available to LMC with the reasonable expectation that any entity with
access to this information would keep that sensitive and personal information confidential and
secure from illegal and unauthorized access. They similarly expected that, in the event of any
unauthorized access, these entities would provide them with prompt and accurate notice.
18. This expectation was objectively reasonable and based on an obligation imposed
on LMC by statute, regulations, industrial custom, and standards of general due care.
19. Unfortunately for Plaintiff and Class members, LMC failed to carry out its duty to
safeguard sensitive Private Information and provide adequate data security, which resulted in
cybercriminals accessing the Private Information of LMC’s current and former patients—Plaintiff
employee’s email account and individual data drive information systems on or about October 4,
2
See https://www.lexmed.com/about/ (last accessed Feb. 23, 2024).
2023. On January 18, 2024, after an extensive forensic investigation and manual document review,
LMC discovered that its employee’s email account and associated individual drive contained
21. On February 12, 2024, LMC sent notice of the Data Breach to all individuals
affected by this data security incident. Notably, the Data Breach Notice does not indicate that
hackers did not exfiltrate patient PII and/or PHI—only that LMC currently has “no way to
determine with certainty whether the unauthorized party accessed these specific file[,]” and that
22. LMC estimates that the Private Information belonging to at least 1.7 million
23. LMC collects and maintains vast quantities of Private Information belonging to
Plaintiff and Class members as part of its normal operations. The Data Breach occurred as direct,
25. Second, LMC failed to inform the public that its data security practices were
deficient and inadequate. Had Plaintiff and Class members been aware that LMC did not have
adequate safeguards in place to protect such sensitive Private Information, they would have never
26. In addition to the failures that led to the successful breach, LMC’s failings in
handling the breach and responding to the incident exacerbated the resulting harm to the Plaintiff
27. LMC’s delay in informing victims of the Data Breach that their Private Information
was compromised virtually ensured that the cybercriminals had access to this Private Information
could monetize, misuse and/or disseminate that Private Information before the Plaintiff and Class
members could take affirmative steps to protect their sensitive information. As a result, Plaintiff
and Class members will suffer indefinitely from the substantial and concrete risk that their
28. Plaintiff’s and Class members’ Private Information was exposed to cybercriminals
for the express purpose of misusing the data. As a consequence, they face the real, immediate, and
likely danger of identity theft and misuse of their Private Information. And this can, and in some
circumstances already has, caused irreparable harm to their personal, financial, reputational, and
future well-being. This harm is even more acute because much of the Private Information, such as
29. In short, LMC’s myriad failures, including the failure to timely notify Plaintiff and
Class members that their personal and medical information had been exposed due to LMC’s
Plaintiff’s and Class members’ Private Information for four months before LMC finally granted
victims the opportunity to take proactive steps to defend themselves and mitigate the near- and
30. Data breaches have become a constant threat that, without adequate safeguards, can
expose personal data to malicious actors. It is well known that PII, and Social Security numbers in
31. In 2022, the Identity Theft Resource Center’s Annual End-of-Year Data Breach
Report listed 1,802 total compromises involving 422,143,312 victims for 2022, which was just 50
compromises short of the current record set in 2021. 3 The HIPAA Journal’s 2022 Healthcare Data
Breach Report reported 707 compromises involving healthcare data, which is just 8 shy of the
record of 715 set in 2021 and still double that of the number of similar such compromises in 2017
32. Statista, a German entity that collects and markets data relating to, among other
things, data breach incidents and the consequences thereof, confirms that the number of data
breaches has been steadily increasing since it began a survey of data compromises in 2005 with
157 compromises reported that year, to a peak of 1,862 in 2021, to 2022’s total of 1,802. 5 The
number of impacted individuals has also risen precipitously from approximately 318 million in
3
2022 End of Year Data Breach Report, Identity Theft Resource Center (January 25, 2023), available at:
https://www.idtheftcenter.org/publication/2022-data-breach-
report/?utm_source=press+release&utm_medium=web&utm_campaign=2022+Data+Breach+Report.
4
2022 Healthcare Data Breach Report, The HIPAA Journal (January 24, 2023), available at:
https://www.hipaajournal.com/2022-healthcare-data-breach-report/.
5
Annual Number of Data Breaches and Exposed Records in the United States from 2005 to 2022,
Statista, available at: https://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-
states-by-number-of-breaches-and-records-exposed/.
6
Id.
33. This stolen PII is then routinely traded on dark web black markets as a simple
commodity, with social security numbers being so ubiquitous as to be sold for as little as $2.99 apiece
number belies the ubiquity of stolen numbers on the dark web. Criminals and other unsavory
groups can fraudulently take out loans under the victims’ name, open new lines of credit, and cause
[a] dishonest person who has your Social Security number can use it to get other
personal information about you. Identity thieves can use your number and your
good credit to apply for more credit in your name. Then, they use the credit cards
and don’t pay the bills, it damages your credit. You may not find out that someone
is using your number until you’re turned down for credit, or you begin to get calls
from unknown creditors demanding payment for items you never bought. Someone
7
What is your identity worth on the dark web? Cybernews (September 28, 2021), available at:
https://cybernews.com/security/whats-your-identity-worth-on-dark-web/.
illegally using your Social Security number and assuming your identity can cause
a lot of problems. 8
This is exacerbated by the fact that the problems arising from a compromised social security
number are exceedingly difficult to resolve. A victim is forbidden from proactively changing his
or her number unless and until it is actually misused and harm has already occurred. And even this
delayed remedial action is unlikely to undo the damage already done to the victims:
Keep in mind that a new number probably won’t solve all your problems. This is
because other governmental agencies (such as the IRS and state motor vehicle
agencies) and private businesses (such as banks and credit reporting companies)
will have records under your old number. Along with other personal information,
credit reporting companies use the number to identify your credit record. So using
a new number won’t guarantee you a fresh start. This is especially true if your other
personal information, such as your name and address, remains the same. 9
35. The most sought after and expensive information on the dark web are stolen
medical records which command prices from $250 to $1,000 each. 10 Medical records are
considered the most valuable because unlike credit cards, which can easily be canceled, and social
security numbers, which can be changed, medical records contain “a treasure trove of unalterable
data points, such as a patient’s medical and behavioral health history and demographics, as well
as their health insurance and contact information.” 11 With this bounty of ill-gotten information,
cybercriminals can steal victims’ public and insurance benefits and bill medical charges to victims’
accounts. 12 Cybercriminals can also change the victims’ medical records, which can lead to
8
United States Social Security Administration, Identity Theft and Your Social Security Number, United
States Social Security Administration (July 2021), available at: https://www.ssa.gov/pubs/EN-05-
10064.pdf.
9
Id.
10
Paul Nadrag, Capsule Technologies, Industry Voices—Forget credit card numbers. Medical records
are the hottest items on the dark web, Fierce Healthcare (January 26, 2021), available at:
https://www.fiercehealthcare.com/hospitals/industry-voices-forget-credit-card-numbers-medical-records-
are-hottest-items-dark-web.
11
Id.
12
Medical Identity Theft in the New Age of Virtual Healthcare, IDX (March 15, 2021), available at
https://www.idx.us/knowledge-center/medical-identity-theft-in-the-new-age-of-virtual-healthcare. See
misdiagnosis or mistreatment when the victims seek medical treatment. 13 Victims of medical
identity theft could even face prosecution for drug offenses when cybercriminals use their stolen
identity theft and the damage resulting from medical identity theft is routinely far more serious
than the harm resulting from the theft of simple PII. Victims of medical identity theft spend an
average of $13,500 to resolve problems arising from medical identity theft and there are currently
no laws limiting a consumer’s liability for fraudulent medical debt (in contrast, a consumer’s
liability for fraudulent credit card charges is capped at $50). 15 It is also “considerably harder” to
reverse the damage from the aforementioned consequences of medical identity theft. 16
37. Instances of medical identity theft have grown exponentially over the years from
approximately 6,800 cases in 2017 to just shy of 43,000 in 2021, which represents a seven-fold
38. In light of the dozens of high-profile health and medical information data breaches
that have been reported in recent years, entities like LMC charged with maintaining and securing
patient PII should know the importance of protecting that information from unauthorized
disclosure. Indeed, LMC knew, or certainly should have known, of the recent and high-profile data
also Michelle Andrews, The Rise of Medical Identity Theft, Consumer Reports (August 25, 2016),
available at https://www.consumerreports.org/health/medical-identity-theft-a1699327549/.
13
Id.
14
Id.
15
Medical Identity Theft, AARP (March 25, 2022), available at: https://www.aarp.org/money/scams-
fraud/info-2019/medical-identity-theft.html.
16
Id.
17
Id.
breaches in the health care industry: UnityPoint Health, Lifetime Healthcare, Inc., Community
Health Systems, Kalispell Regional Healthcare, Anthem, Premera Blue Cross, and many others. 18
39. In addition, the Federal Trade Commission (“FTC”) has brought dozens of cases
against companies that have engaged in unfair or deceptive practices involving inadequate
information against LabMD, Inc., SkyMed International, Inc., and others. The FTC publicized
these enforcement actions to place companies like LMC on notice of their obligation to safeguard
40. Given the nature of LMC’s Data Breach, as well as the length of the time LMC’s
networks were breached and the long delay in notification to victims thereof, it is foreseeable that
the compromised Private Information has been or will be used by hackers and cybercriminals in a
variety of devastating ways. Indeed, the cybercriminals who possess Plaintiff’s and Class
members’ Private Information can easily obtain Plaintiff’s and Class members’ tax returns or open
41. Based on the foregoing, the information compromised in the Data Breach is
significantly more valuable than the loss of, for example, credit card information in a retailer data
breach, because credit card victims can cancel or close credit and debit card accounts. 20 The
18
See, e.g., Healthcare Data Breach Statistics, HIPAA Journal, available at:
https://www.hipaajournal.com/healthcare-data-breach-statistics.
19
See, e.g., In the Matter of SKYMED INTERNATIONAL, INC., C-4732, 1923140 (F.T.C. Jan. 26, 2021).
20
See Jesse Damiani, Your Social Security Number Costs $4 On The Dark Web, New Report Finds,
Forbes (Mar 25, 2020), available at https://www.forbes.com/sites/jessedamiani/2020/03/25/your-social-
security-number-costs-4-on-the-dark-web-new-report-finds/?sh=6a44b6d513f1. See also Why Your Social
Security Number Isn’t as Valuable as Your Login Credentials, Identity Theft Resource Center (June 18,
2021), available at https://www.idtheftcenter.org/post/why-your-social-security-number-isnt-as-valuable-
as-your-login-credentials/.
information compromised in this Data Breach is impossible to “close” and difficult, if not
impossible, to change.
42. Indeed, according to the Data Breach Notice Defendant disseminated in February
2024, Defendant’s forensic examination concluded that “the files accessed during the Breach
include billing-related documents that may have included [Class Members’] full name, date of
birth, medical record number, health insurance identification number, patient charge descriptor
information, and billing codes.” Contemporaneous news reports also indicate that hackers may
43. Although Defendant contends that electronic medical records were not accessed
during the Data Breach, hackers nevertheless managed to access a treasure trove of valuable and
highly-sensitive PII and PHI. For example, a stolen health insurance identification number coupled
with even minimal PII can be used to submit fraudulent insurance claims for prescription drugs,
44. The additional categories of PHI compromised in the Data Breach would further
facilitate those efforts. Patient charge descriptor information provides a detailed narrative of the
services or procedures performed, including the specific details of the treatment, diagnosis, or tests
conducted, and are typically written in plain language that is easily understandable by patients and
non-medical professionals. Patient billing codes likewise provide considerable insight into a
patient’s medical treatment history, because billing codes used for purposes of reimbursement
from Medicare and private health insurers tend to be uniform in order to streamline billing and
reimbursement efforts.
45. When these sources of information are coupled with a patient’s name, date of birth
and medical record number—a unique identification number used to identify patients across the
U.S. medical system and associate medical records compiled by their various healthcare
individuals that can then be used to perpetrate health care fraud in their names.
46. Despite the prevalence of public announcements of data breach and data security
compromises, its own acknowledgment of the risks posed by data breaches, and its own
acknowledgment of its duties to keep Private Information private and secure, LMC failed to take
appropriate steps to protect the Private Information of Plaintiff and Class members from
misappropriation. As a result, the injuries to Plaintiff and Class members were directly and
proximately caused by LMC’s failure to implement or maintain adequate data security measures
47. LMC has an obligation to protect the Private Information belonging to Plaintiff and
Class members. First, this obligation was mandated by government regulations and state laws,
including HIPAA and FTC rules and regulations. Second, this obligation arose from industry
standards regarding the handling of sensitive PII and medical records. Third, LMC imposed such
an obligation on itself with its promises regarding the safe handling of data. Plaintiff and Class
members provided, and LMC obtained, their information on the understanding that it would be
48. HIPAA requires, inter alia, that Covered Entities and Business Associates
implement and maintain policies, procedures, systems and safeguards that ensure the
confidentiality and integrity of consumer and patient PII and PHI, protect against any reasonably
anticipated threats or hazards to the security or integrity of consumer and patient PII and PHI,
regularly review access to databases containing protected information, and implement procedures
and systems to detect, contain, and correct any unauthorized access to protected information. See
49. HIPAA, as applied through federal regulations, also requires private information to
50. The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires entities to
provide notice of a data breach to each affected individual “without unreasonable delay and in no
case later than 60 days following discovery of the breach” (emphasis added).
51. LMC failed to implement and/or maintain procedures, systems, and safeguards to
protect the Private Information belonging to Plaintiff and Class members from unauthorized access
and disclosure.
52. Upon information and belief, LMC’s security failures include, but are not limited
to:
53. Upon information and belief, LMC also failed to store the information it collected
54. LMC also violated the HIPAA Breach Notification Rule since it did not inform
Plaintiff and Class members about the breach until 130 days after it first discovered the breach.
55. The FTC has promulgated numerous guides for businesses that highlight the
importance of implementing reasonable data security practices. According to the FTC, the need
for data security should be factored into all business decision making. Indeed, the FTC has
concluded that a company’s failure to maintain reasonable and appropriate data security for
Federal Trade Commission Act (“FTCA”), 15 U.S.C. § 45. See, e.g., FTC v. Wyndham Worldwide
56. In 2016, the FTC updated its publication, Protecting Personal Information: A
Guide for Business, which established guidelines for fundamental data security principles and
practices for business. 21 The guidelines note businesses should protect the personal information
that they keep; properly dispose of personal information that is no longer needed; encrypt
implement policies to correct security problems. 22 The guidelines also recommend that businesses
use an intrusion detection system to expose a breach as soon as it occurs; monitor all incoming
traffic for activity indicating someone is attempting to hack the system; watch for large amounts
of data being transmitted from the system; and have a response plan ready in the event of a
breach. 23 LMC clearly failed to do any of the foregoing, as evidenced by the delay in notifying the
57. The FTC further recommends that companies not maintain PII longer than is
needed for authorization of a transaction, limit access to sensitive data, require complex passwords
to be used on networks, use industry-tested methods for security, monitor the network for
suspicious activity, and verify that third-party service providers have implemented reasonable
security measures.
58. The FTC has brought enforcement actions against businesses for failing to
adequately and reasonably protect customer data by treating the failure to employ reasonable and
21
Protecting Personal Information: A Guide for Business, Federal Trade Comm’n
(October 2016), available at https://www.ftc.gov/tips-advice/business-center/guidance/protecting-
personal-information-guide-business (last accessed August 15, 2023).
22
Id.
23
Id.
unfair act or practice prohibited by the FTCA. Orders resulting from these actions further clarify
the measures businesses must take to meet their data security obligations.
59. Additionally, the FTC Health Breach Notification Rule obligates companies that
suffered a data breach to provide notice to every individual affected by the data breach, as well as
notifying the media and the FTC. See 16 CFR 318.1, et seq.
60. As evidenced by the Data Breach, LMC failed to properly implement basic data
security practices. LMC’s failure to employ reasonable and appropriate measures to protect against
unauthorized access to Plaintiff’s and Class members’ Private Information constitutes an unfair
61. LMC was fully aware of its obligation to protect the Private Information of its
current and former patients, including Plaintiff and Class members. LMC is a sophisticated and
technologically savvy business that relies extensively on technology systems and networks to
maintain its practice, including storing its patients’ PII, protected health information, and medical
62. LMC had and continues to have a duty to exercise reasonable care in collecting,
storing, and protecting the Private Information from the foreseeable risk of a data breach. The duty
arises out of the special relationship that exists between LMC and Plaintiff and Class members.
LMC alone had the exclusive ability to implement adequate security measures to its cyber security
network to secure and protect Plaintiff’s and Class members’ Private Information.
being particularly vulnerable to cyberattacks because of the value of the Private Information which
64. Some industry best practices that should be implemented by businesses dealing
with sensitive Private Information, like LMC, include but are not limited to: educating all
employees, strong password requirements, multilayer security including firewalls, anti-virus and
which employees can access sensitive data. As evidenced by the Data Breach, LMC failed to
65. Other best cybersecurity practices that are standard in the industry include:
installing appropriate malware detection software; monitoring and limiting network ports;
protecting web browsers and email management systems; setting up network systems such as
firewalls, switches, and routers; monitoring and protecting physical security systems; and training
staff regarding these points. As evidenced by the Data Breach, LMC failed to follow these
66. LMC should have also followed the minimum standards of any one of the following
frameworks: the NIST Cybersecurity Framework Version 1.1 (including without limitation
PR.PT-1, PR.PT-3, DE.CM-1, DE.CM-4, DE.CM-7, DE.CM-8, and RS.CO-2), and the Center for
Internet Security’s Critical Security Controls (CIS CSC), which are all established standards in
67. LMC failed to comply with these accepted standards, thereby permitting the Data
Breach to occur.
24
See https://www.lexmed.com/docs/privacy/Lexmed-privacypractices.pdf (last accessed Feb. 23, 2024).
a. [LMC] is required by law to “ensure that health information that identifies you
disclosed by law.”
b. “[LMC] will not use or disclose your health information without your prior
69. LMC failed to live up to its own stated policies and promises with regards to data
privacy and data security as cybercriminals were able to infiltrate its systems and gain access to the
F. Plaintiff and the Class Suffered Harm Resulting from the Data Breach
70. Like any data hack, the Data Breach presents major problems for all affected. 25
71. The FTC warns the public to pay particular attention to how they keep personally
identifying information including Social Security numbers and other sensitive data. As the FTC
notes, “once identity thieves have your personal information, they can drain your bank account,
run up charges on your credit cards, open new utility accounts, or get medical treatment on your
health insurance.” 26
72. The ramifications of LMC’s failure to properly secure Plaintiff’s and Class
members’ Private Information are severe. Identity theft occurs when someone uses another
person’s financial, and personal information, such as that person’s name, address, Social Security
number, and other information, without permission in order to commit fraud or other crimes.
73. According to data security experts, one out of every four data breach notification
25
Paige Schaffer, Data Breaches' Impact on Consumers, Insurance Thought Leadership (July 29, 2021),
available at https://www.insurancethoughtleadership.com/cyber/data-breaches-impact-consumers.
26
Warning Signs of Identity Theft, Federal Trade Comm’n, available at
https://www.identitytheft.gov/#/Warning-Signs-of-Identity-Theft.
74. Furthermore, PII has a long shelf-life because it contains different forms of personal
information, it can be used in more ways than one, and it typically takes time for an information
breach to be detected.
75. Accordingly, LMC’s wrongful actions and/or inaction and the resulting Data
Breach have also placed Plaintiff and the Class at an imminent, immediate, and continuing
increased risk of identity theft and identity fraud. According to a recent study published in the
scholarly journal Preventive Medicine Reports, public and corporate data breaches correlate to an
increased risk of identity theft for victimized consumers. 27 The same study also found that identity
theft is a deeply traumatic event for the victims, with more than a quarter of victims still
experiencing sleep problems, anxiety, and irritation even six months after the crime. 28
76. There is also a high likelihood that significant identity fraud and/or identity theft
has not yet been discovered or reported. Even data that has not yet been exploited by
cybercriminals presents a concrete risk that the cybercriminals who now possess Class members’
77. Data breaches have also proven costly for affected organizations, with
the average cost to resolve being $4.45 million in 2023. 29 The average cost to resolve a
data breach involving health information, however, is more than double this figure at $10.92
million. 30
27
David Burnes, Marguerite DeLiema, Lynn Langton, Risk and protective factors of identity theft
victimization in the United States, Preventive Medicine Reports, Volume 17 (January 23, 2020), available
at https://www.sciencedirect.com/science/article/pii/S2211335520300188?via%3Dihub.
28
Id.
29
Cost of a Data Breach Report 2023, IBM Security, available at https://www.ibm.com/reports/data-breach?utm_content=SRCWW&p1=Search&p4=43700072379268622&p5=p&gclid=CjwKCAjwxOymBhAFEiwAnodBLGiGtWfjX0vRlNbx6p9BpWaOo9eZY1i6AMAc6t9S8IKsxdnbBVeUbxoCtk8QAvD_BwE&gclsrc=aw.ds.
30
Id.
78. The theft of medical information, beyond the theft of more traditional forms of PII,
is especially harmful for victims. Medical identity theft, the misuse of stolen medical records and
information, has seen a seven-fold increase over the last five years and this explosive growth far
outstrips the increase in incidence of traditional identity theft. 31 Medical Identity Theft is especially
nasty for victims because of the lack of laws that limit a victim’s liabilities and damages from this
type of identity theft (e.g., a victim’s liability for fraudulent credit card charges is capped at $50),
the unalterable nature of medical information, the sheer costs involved in resolving the fallout from
a medical identity theft (victims spend, on average, $13,500 to resolve problems arising from this
79. Here, due to the Breach, Plaintiff and Class members have been exposed to injuries
b. Costs associated with the detection and prevention of identity theft and
unauthorized use of financial accounts as a direct and proximate result of
the Private Information accessed during the Data Breach;
c. Damages arising from the inability to use accounts that may have been
compromised during the Data Breach;
d. Costs associated with time spent to address and mitigate the actual and
future consequences of the Data Breach, such as finding fraudulent charges,
cancelling and reissuing payment cards, purchasing credit monitoring and
identity theft protection services, placing freezes and alerts on their credit
reports, contacting their financial institutions to notify them that their
personal information was exposed and to dispute fraudulent charges,
imposition of withdrawal and purchase limits on compromised accounts,
including but not limited to lost productivity and opportunities, time taken
from the enjoyment of one’s life, and the inconvenience, nuisance, and
annoyance of dealing with all issues resulting from the Data Breach, if they
31
Medical Identity Theft, AARP (March 25, 2022), available at: https://www.aarp.org/money/scams-fraud/info-2019/medical-identity-theft.html.
32
Id.
were fortunate enough to learn of the Data Breach despite LMC’s delay in
disseminating notice in accordance with state law;
e. The imminent and impending injury resulting from potential fraud and
identity theft posed because their Private Information is exposed for theft
and sale on the dark web; and
80. Plaintiff and Class members have suffered imminent and impending injury arising
from the substantially increased risk of fraud, identity theft, and misuse resulting from their Private
Information being accessed by cybercriminals, risks that will not abate within the limited time of
81. As a direct and proximate result of LMC’s acts and omissions in failing to protect
and secure Private Information, Plaintiff and Class members have been placed at a substantial risk
of harm in the form of identity theft, and they have incurred and will incur actual damages in an
82. Plaintiff retains an interest in ensuring there are no future breaches, in addition to
seeking a remedy for the harms suffered as a result of the Data Breach on behalf of both herself
and similarly situated individuals whose Private Information was accessed in the Data Breach.
83. Plaintiff Sutherland is a current patient at LMC and has been for many years.
84. Plaintiff Sutherland received LMC’s data breach notice. The notice informed
Plaintiff Sutherland that her Private Information may have been improperly accessed by third
parties, including but not limited to Plaintiff Sutherland’s full name, date of birth, medical record
number, health insurance identification number, patient charge descriptor information, and billing
codes.
85. After the breach, Plaintiff Sutherland noticed a dramatic increase in suspicious
activities including spam phone calls, marketing emails, and spam text messages. Plaintiff
86. As a result of the Data Breach, Plaintiff Sutherland has made reasonable efforts to
mitigate the impact of the Data Breach, including, but not limited to, researching the Data Breach
and reviewing credit reports and financial account statements for any indications of actual or
attempted identity theft or fraud. Plaintiff Sutherland has also spent several hours dealing with the
Data Breach, valuable time she otherwise would have spent on other activities, including, but not
87. As a result of the Data Breach, Plaintiff Sutherland has suffered anxiety due to the
public dissemination of her personal information, which she believed would be protected from
unauthorized access and disclosure, including anxiety about unauthorized parties viewing, selling,
and using her Private Information for purposes of identity theft and fraud. Plaintiff Sutherland is
concerned about identity theft and fraud, as well as the consequences of such identity theft and
88. Plaintiff Sutherland suffered actual injury from having her Private Information
compromised as a result of the Data Breach including, but not limited to (a) damage to and
diminution in the value of her Private Information, a form of property that LMC obtained from
her; (b) violation of her privacy rights; and (c) present, imminent and impending injury arising
considerable time and money on an ongoing basis to try to mitigate and address harms caused by
the Data Breach. And, as a result of the Data Breach, she is at a present risk and will continue to
90. Plaintiff brings this action on behalf of herself and, pursuant to Fed. R. Civ. P.
All persons in the United States whose Private Information was accessed
in the Data Breach.
Excluded from the Class are LMC, its executives and officers, and the Judge(s) assigned to this
case. Plaintiff reserves the right to modify, change or expand the Class definition after conducting
discovery.
91. In the alternative, Plaintiff brings this action on behalf of herself and, pursuant to
All persons who are residents of the State of South Carolina whose Private
Information was accessed in the Data Breach (the “South Carolina
Subclass”).
Excluded from the Subclass are LMC, its executives and officers, and the Judge(s) assigned to this
case.
92. Numerosity: Upon information and belief, the Class is so numerous that joinder of
all members is impracticable. The exact number and identities of individual members of the Class
are unknown at this time, such information being in the sole possession of LMC and obtainable by
Plaintiff only through the discovery process. On information and belief, the number of affected
individuals is estimated to be 1.7 million. 33 The members of the Class will be identifiable through
33
See https://medriva.com/breaking-news/lexington-medical-center-data-breach-an-in-depth-analysis-and-practical-advice-on-data-security/ (last upd. Feb. 20, 2024).
93. Existence and Predominance of Common Questions of Fact and Law: Common
questions of law and fact exist as to all members of the Class. These questions predominate over
the questions affecting individual Class members. These common legal and factual questions
b. Whether hackers obtained Class members’ Private Information via the Data
Breach;
e. Whether LMC knew or should have known that its data security systems
and monitoring processes were deficient;
h. Whether LMC had a legal duty to provide timely and accurate notice of the
Data Breach to Plaintiff and Class members;
i. Whether LMC breached its duty to provide timely and accurate notice of
the Data Breach to Plaintiff and Class members;
j. Whether LMC’s conduct violated the FTCA, HIPAA, and/or the Consumer
Protection Act invoked herein;
o. Whether Plaintiff and Class members are entitled to actual and/or statutory
damages; and
94. Typicality: Plaintiff’s claims are typical of the claims of the Class as Plaintiff and
all members of the Class had their Private Information compromised in the Data Breach. Plaintiff’s
claims and damages are also typical of the Class because they resulted from LMC’s uniform
wrongful conduct. Likewise, the relief to which Plaintiff is entitled is typical of the Class
because LMC has acted, and refused to act, on grounds generally applicable to the Class.
do not materially or irreconcilably conflict with the interests of the Class Plaintiff seeks to
represent, Plaintiff has retained counsel competent and highly experienced in complex class action
litigation, and Plaintiff intends to prosecute this action vigorously. Plaintiff and counsel will fairly
and adequately protect the interests of the Class. Neither Plaintiff nor Plaintiff’s counsel have any
interests that are antagonistic to the interests of other members of the Class.
96. Superiority: Compared to all other available means of fair and efficient adjudication
of the claims of Plaintiff and the Class, a class action is superior. The injury suffered by each
individual Class member is relatively small in comparison to the burden and expense of individual
prosecution of the complex and extensive litigation necessitated by LMC’s conduct. It would be
virtually impossible for members of the Class individually to effectively redress the wrongs done
to them. Even if the members of the Class could afford such individual litigation, the court system
could not. Individualized litigation presents a potential for inconsistent or contradictory judgments.
Individualized litigation increases the delay and expense to all parties and to the court system
presented by the complex legal and factual issues of the case. By contrast, the class action device
presents far fewer management difficulties, and provides the benefits of single adjudication,
economy of scale, and comprehensive supervision by a single court. Members of the Class can be
readily identified and notified based on, inter alia, LMC’s records and databases.
COUNT I
NEGLIGENCE
(By Plaintiff on behalf of the Class)
97. Plaintiff incorporates and realleges all allegations above as if fully set forth herein.
98. LMC owes a duty of care to protect the Private Information belonging to Plaintiff
and Class members. LMC also owes several specific duties including, but not limited to, the duty:
f. to promptly notify Plaintiff and Class members of the Data Breach, and to
precisely disclose the type(s) of information compromised.
99. LMC owes this duty because it had a special relationship with Plaintiff and Class
members. Plaintiff and Class members entrusted their Private Information to LMC on the
understanding that adequate security precautions would be taken to protect this information.
Furthermore, only LMC had the ability to protect its systems and the Private Information stored
100. LMC also owes this duty because industry standards mandate that LMC protect its
101. LMC also owes a duty to timely disclose any unauthorized access and/or theft of
the Private Information belonging to Plaintiff and Class members. This duty exists to provide
Plaintiff and Class members with the opportunity to undertake appropriate measures to mitigate
damages, protect against adverse consequences, and thwart future misuse of their Private
Information.
102. LMC breached its duties owed to Plaintiff and Class members by failing to take
reasonable appropriate measures to secure, protect, and/or otherwise safeguard their Private
Information.
103. LMC also breached the duties it owed to Plaintiff and Class members by failing to
timely and accurately disclose to them that their Private Information had been improperly acquired
and/or accessed.
104. As a direct and proximate result of LMC’s conduct, Plaintiff and Class members
were damaged. These damages include, and are not limited to:
105. Plaintiff and Class members were foreseeable victims of any inadequate security
practices on the part of LMC and the damages they suffered were the foreseeable result of the
106. In failing to provide prompt and adequate individual notice of the Data Breach,
LMC also acted with reckless disregard for the rights of Plaintiff and Class members.
107. Plaintiff and the Class are entitled to damages in an amount to be proven at trial
and injunctive relief requiring LMC to, inter alia, strengthen its data security systems and
monitoring procedures, conduct periodic audits of those systems, and provide lifetime credit
COUNT II
NEGLIGENCE PER SE
(By Plaintiff on behalf of the Class)
108. Plaintiff incorporates and realleges all allegations above as if fully set forth herein.
109. Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45, imposes a duty on
LMC to provide fair and adequate data security to secure, protect, and/or otherwise safeguard the
111. HIPAA also requires LMC to render unusable, unreadable, or indecipherable all
Private Information it collected. LMC was required to do so through “the use of an algorithmic
process to transform data into a form in which there is a low probability of assigning meaning
without the use of a confidential process or key.” See definition of “encryption” at 45 C.F.R. §
164.304.
112. In the event of a data breach, HIPAA obligates Covered Entities and Business
Associates to notify affected individuals, prominent media outlets, and the Secretary of the
Department of Health and Human Services of the data breach without unreasonable delay and in
no event later than 60 days after discovery of the data breach. 45 CFR § 164.400, et seq.
113. LMC violated the FTCA and HIPAA by failing to provide fair, reasonable, or
adequate computer systems and data security practices to secure, protect, and/or otherwise
114. LMC violated HIPAA by failing to properly encrypt the Private Information it
collected.
115. LMC violated HIPAA by unduly delaying reasonable notice of the actual breach;
116. LMC’s failure to comply with HIPAA and the FTCA constitutes negligence per se.
117. Plaintiff and Class members are within the class of persons that the FTCA and
118. It was reasonably foreseeable that the failure to protect and secure Plaintiff’s and
Class members’ Private Information in compliance with applicable laws and industry standards
119. As a direct and proximate result of LMC’s negligence per se, Plaintiff and Class
members have suffered, and continue to suffer, injuries and damages arising from the unauthorized
access of their Private Information, including but not limited to theft of their personal information,
damages from the lost time and effort to mitigate the impact of the Data Breach, and permanently
120. Plaintiff and Class members are entitled to damages in an amount to be proven at
trial and injunctive relief requiring LMC to, inter alia, strengthen its data security systems and
monitoring procedures, conduct periodic audits of those systems, and provide lifetime credit
COUNT III
BREACH OF IMPLIED CONTRACT
(By Plaintiff on behalf of the Class)
121. Plaintiff incorporates and realleges all allegations above as if fully set forth herein.
122. Plaintiff and Class members provided LMC with their Private Information.
123. By providing their Private Information, and upon LMC’s acceptance of this
information, Plaintiff and the Class, on one hand, and LMC, on the other hand, entered into
implied-in-fact contracts for the provision of data security, separate and apart from any express
124. The implied contracts between LMC and Plaintiff and Class members obligated
LMC to take reasonable steps to secure, protect, safeguard, and keep confidential Plaintiff’s and
Class members’ Private Information. The terms of these implied contracts are described in federal
laws, state laws, and industry standards, as alleged above. LMC expressly adopted and assented to
these terms in its public statements, representations and promises as described above.
125. The implied contracts for data security also obligated LMC to provide Plaintiff and
Class members with prompt, timely, and sufficient notice of any and all unauthorized access or
126. LMC breached these implied contracts by failing to take, develop and implement
adequate policies and procedures to safeguard, protect, and secure the Private Information
belonging to Plaintiff and Class members; allowing unauthorized persons to access Plaintiff’s and
Class members’ Private Information; and failing to provide prompt, timely, and sufficient notice
127. As a direct and proximate result of LMC’s breaches of the implied contracts,
Plaintiff and Class members have been damaged as described herein, will continue to suffer
injuries as detailed above due to the continued risk of exposure of Private Information, and are
COUNT IV
UNJUST ENRICHMENT
(By Plaintiff on behalf of the Class)
128. Plaintiff incorporates and realleges all allegations above as if fully set forth herein.
130. Plaintiff and the Class have a legal and equitable interest in their Private
131. LMC was benefitted by the conferral of Plaintiff’s and Class members’ Private
Information and by its ability to retain and use that information. LMC understood that it was in
fact so benefitted.
132. LMC also understood and appreciated that Plaintiff’s and Class members’ Private
Information was private and confidential and its value depended upon LMC maintaining the
133. But for LMC’s willingness and commitment to maintain its privacy and
confidentiality, Plaintiff and Class members would not have provided or authorized their Private
Information to be provided to LMC, and LMC would have been deprived of the competitive and
economic advantages it enjoyed by falsely claiming that its data-security safeguards met
reasonable standards. These competitive and economic advantages include, without limitation,
wrongfully gaining patients, gaining the reputational advantages conferred upon it by Plaintiff and
Class members, collecting excessive advertising and sales revenues as described herein, monetary
savings resulting from failure to reasonably upgrade and maintain data technology infrastructures,
staffing, and expertise, raising investment capital as described herein, and realizing excessive
profits.
134. As a result of LMC’s wrongful conduct as alleged herein (including, among other
things, its deception of Plaintiff, the Class, and the public relating to the nature and scope of the
data breach; its failure to employ adequate data security measures; its continued maintenance and
use of the Private Information belonging to Plaintiff and Class members without having adequate
data security measures; and its other conduct facilitating the theft of that Private Information),
LMC has been unjustly enriched at the expense of, and to the detriment of, Plaintiff and the Class.
135. LMC’s unjust enrichment is traceable to, and resulted directly and proximately
from, the conduct alleged herein, including the compiling and use of Plaintiff’s and Class
members’ sensitive Private Information, while at the same time failing to maintain that information
136. Under the common law doctrine of unjust enrichment, it is inequitable for LMC to
be permitted to retain the benefits it received, and is still receiving, without justification, from
137. The benefit conferred upon, received, and enjoyed by LMC was not conferred
officiously or gratuitously, and it would be inequitable and unjust for LMC to retain the benefit.
138. LMC is therefore liable to Plaintiff and the Class for restitution in the amount of
the benefit conferred on LMC as a result of its wrongful conduct, including specifically the value
to LMC of the PII and medical information that was accessed in the Data Breach and the profits
139. Plaintiff and Class members are entitled to full refunds, restitution, and/or damages
from LMC and/or an order proportionally disgorging all profits, benefits, and other compensation
140. Plaintiff and Class members may not have an adequate remedy at law against LMC,
and accordingly, they plead this claim for unjust enrichment in addition to, or in the alternative to,
COUNT V
INVASION OF PRIVACY
(By Plaintiff on behalf of the Class)
141. Plaintiff incorporates and realleges all allegations above as if fully set forth herein.
142. Plaintiff and Class members had a reasonable expectation of privacy in the Private
143. By failing to keep Plaintiff’s and Class members’ Private Information safe, and by
misusing and/or disclosing their Private Information to unauthorized parties for unauthorized use,
b. Publicizing private facts about Plaintiff and Class members, which is highly
offensive to a reasonable person.
144. LMC knew, or acted with reckless disregard of the fact that, a reasonable person in
145. LMC invaded Plaintiff’s and Class members’ right to privacy and intruded into
Plaintiff’s and Class members’ private affairs by misusing and/or disclosing their private
146. As a proximate result of such misuse and disclosures, Plaintiff’s and Class
members’ reasonable expectation of privacy in their Private Information was unduly frustrated and
thwarted. LMC’s conduct amounted to a serious invasion of Plaintiff’s and Class members’
147. In failing to protect Plaintiff’s and Class members’ Private Information, and in
misusing and/or disclosing their Private Information, LMC has acted with malice and oppression
and in conscious disregard of Plaintiff’s and Class members’ rights to have such information kept
confidential and private, in failing to provide adequate notice, and in placing its own economic,
corporate, and legal interests above the privacy interests of its millions of patients. Plaintiff,
therefore, seeks an award of damages, including punitive damages, individually and on behalf of
the Class.
respectfully requests that the Court enter judgment in their favor and against LMC, as follows:
A. That the Court certify this action as a class action, proper and maintainable pursuant
to Rule 23 of the Federal Rules of Civil Procedure; declare that Plaintiff is a proper
class representative; and appoint Plaintiff’s Counsel as Class Counsel;
C. That the Court grant permanent injunctive relief to prohibit LMC from continuing
to engage in the unlawful acts, omissions, and practices described herein;
D. That the Court award Plaintiff and Class members compensatory, consequential,
and general damages in an amount to be determined at trial;
E. That the Court award Plaintiff and Class members statutory damages, and punitive
or exemplary damages, to the extent permitted by law;
F. That the Court award to Plaintiff the costs and disbursements of the action, along
with reasonable attorneys’ fees, costs, and expenses;
G. That the Court award pre- and post-judgment interest at the maximum legal rate;
H. That the Court grant all such equitable relief as it deems proper and just,
including, but not limited to, disgorgement and restitution; and
I. That the Court grant all other relief as it deems just and proper.
Plaintiff, individually and on behalf of the putative Class, demands a trial by jury on all
issues so triable.
Respectfully Submitted,
Daniel O. Herrera*
Nickolas J. Hagman*
Mohammed A. Rathur*
CAFFERTY CLOBES MERIWETHER
& SPRENGEL LLP
135 S. LaSalle, Suite 3210
Chicago, Illinois 60603
Telephone: (312) 782-4880
Facsimile: (312) 782-4485
dherrera@caffertyclobes.com
nhagman@caffertyclobes.com
mrathur@caffertyclobes.com